“You Are Known By The Company You Keep” — Including Vendors Without Business Associate Agreements

Colin Zick
Foley Hoag LLP - Security, Privacy and the Law
Contact
LinkedIn
Facebook
X
Send
Embed

Foley Hoag LLP - Privacy & Data Security

The concept that one is known by the company one keeps dates back to ancient times (the particular phrase is attributed to both Aesop and the Book of Proverbs).  But this simple aphorism continues to be true.  A recent example is the $500,000 that Advanced Care Hospitalists (ACH) had to pay to the Office for Civil Rights of the U.S. Department of Health and Human Services (OCR) to settle potential violations of the HIPAA Privacy and Security Rules.

ACH provides contracted internal medicine physicians to hospitals and nursing homes in west central Florida. ACH provided services to more than 20,000 patients annually.  Between November 2011 and June 2012, ACH engaged the services of an individual that represented himself to be a representative of a Florida-based company named Doctor’s First Choice Billings, Inc. (First Choice). The individual provided medical billing services to ACH using First Choice’s name and website, but allegedly without any knowledge or permission of First Choice’s owner!  On February 11, 2014, a local hospital notified ACH that patient information was viewable on the First Choice website, including name, date of birth and Social Security number.  ACH found 8,855 patients could have been affected by this breach.

OCR’s investigation revealed that ACH never entered into a business associate agreement with the individual providing medical billing services to ACH, and failed to adopt any policy requiring business associate agreements until April 2014. Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014. In addition to the monetary settlement, ACH will undertake a robust corrective action plan that includes the adoption of business associate agreements, a complete enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules.

What lessons to take away from ACH’s misfortune?

  • Adopt a policy of investigating all vendors (new ones and ones you are currently doing business with)
  • Adopt a policy of requiring HIPAA business associate agreements with all vendors handling PHI
  • Conduct a HIPAA risk analysis and staff training annually

In sum, do as that old Russian proverb suggests, “Доверяй, но проверяйTrust, but verify.”

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Security, Privacy and the Law | Attorney Advertising

Written by:

Foley Hoag LLP - Security, Privacy and the Law
Foley Hoag LLP - Security, Privacy and the Law
Contact
more
less

Foley Hoag LLP - Security, Privacy and the Law on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide